History of British Phreaking

by Lex Luthor and The Legion of Doom

In Britain, phreaking goes back to the early fifties, when the technique of "Toll A Drop Back" was discovered.

Toll A was an exchange near St. Paul's which routed calls between London and nearby non-London exchanges.  The trick was to dial an unallocated number, and then depress the receiver-rest for 1/2 second.

This flashing initiated the "Clear Forward" signal, leaving the caller with an open line into the Toll A exchange.  He could then dial 018, which forwarded him to the trunk exchange - at that time, the first long-distance exchange in Britain - and follow it with the code for the distant exchange to which he would be connected at no extra charge.

The signals needed to control the U.K. network today were published in the Institution of Post Office Engineers Journal and reprinted in The Sunday Times (October 15, 1972).

(Note:  The British Post Office is the U.K. equivalent to Ma Bell.)

The signaling system is called Signaling System No. 3 and it uses pairs of frequencies selected from six tones separated by 120 Hz.  With that info, the phreaks made "Bleepers" or, as they are called here in the U.S., "Blue Boxes".  The British, though, utilize different MF tones than the U.S.; thus, your U.S. Blue Box that you smuggled into the U.K. will not work, unless you change the frequencies.

(In the early seventies, a simpler system based on different numbers of pulses with the same frequency [2280 Hz] was used.  For more info on that, try to get ahold of: Atkinson's Telephony and Systems Technology.)

Boxing in Foreign Lands

The following are the timings and frequencies for boxing in the U.K. and other foreign countries.  Special thanks to Peter McIvers for the following info:

British:  "Bleeper Boxes" have the very same layout as U.S. Blue Boxes.  The frequencies are different, though.  They use two sets of frequencies, Forward and Backward.

Forward signals are sent out by the Bleeper Box; the Backward signals may be ignored (it's sort of like using full-duplex).  The frequencies are as follows:

         U.S.:    700    900   1100   1300   1500   1700 Hz
 U.K. Forward:   1380   1500   1620   1740   1860   1980 Hz
U.K. Backward:   1140   1020    900    780    660    540 Hz

For example, change the 900 Hz potentiometers in your box to 1500 Hz.

All numbers 1-0 (10) are in the same order as in an American box.

The ones after this are their codes for:

  • 11 - Operator
  • 12 - Operator
  • 13, 14, 15 - Spare

One of these is KP.  One (probably 15) is star (*).  It won't be too hard to figure out.

The signals should carry -11.5 dBm (+/- 1 dBm) onto the line.  The frequencies should be within +/- 4 Hz (as is the British equipment).

Also, the 1VF system is still in operation in parts of the U.K.  This would encode all signals 1 to 16 as binary numbers.

For instance, a five is: 0101

There are six intervals per digit, each 50 ms long or a total of 300 ms.

First is a start pulse of 2280 Hz for 50 ms.  Then, using the example of five (0101), there is a 50 ms pause, a 50 ms pulse of 2280 Hz, a 50 ms pause, and a 50 ms pulse of 2280 Hz.

Finally, there is a 50 ms pause that signals the end of the digit.

      1           2           3           4           5           6
2280 Hz pulse | pause | 2280 Hz pulse | pause | 2280 Hz pulse | pause

The frequency tolerance on the 2280 Hz is +/- 0.3%.  It is sent at -6 dBm (+/- 1 dBm).
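The 1VF digit framing described above, written out as a receiver-side decoder that rejects malformed frames.  This is an added example, not part of the original article; the function names and the 5 ms timing tolerance are assumptions (the article gives no timing tolerance), and the sample frames are constructed.

```python
from typing import List, Optional, Tuple

TONE_HZ = 2280.0      # 1VF signalling frequency given in the text
TONE_TOL = 0.003      # +/- 0.3% frequency tolerance given in the text
SLOT_MS = 50.0        # six 50 ms intervals per digit (300 ms total)
SLOT_TOL_MS = 5.0     # ASSUMPTION: timing tolerance is not stated in the article

# One interval = (frequency in Hz, or None for a pause; duration in ms)
Interval = Tuple[Optional[float], float]

class FrameError(ValueError):
    """Raised when six intervals do not form a valid 1VF digit."""

def tone_in_tolerance(freq: float) -> bool:
    return abs(freq - TONE_HZ) <= TONE_HZ * TONE_TOL

def decode_1vf_digit(intervals: List[Interval]) -> int:
    """Decode one digit: start pulse, four bit slots (MSB first), end pause."""
    if len(intervals) != 6:
        raise FrameError("expected 6 intervals, got %d" % len(intervals))
    for n, (freq, dur) in enumerate(intervals, 1):
        if abs(dur - SLOT_MS) > SLOT_TOL_MS:
            raise FrameError("interval %d: %.0f ms is not a 50 ms slot" % (n, dur))
        if freq is not None and not tone_in_tolerance(freq):
            raise FrameError("interval %d: %.1f Hz outside 2280 Hz +/- 0.3%%" % (n, freq))
    if intervals[0][0] is None:
        raise FrameError("interval 1: start pulse missing")
    if intervals[5][0] is not None:
        raise FrameError("interval 6: end-of-digit pause missing")
    value = 0
    for freq, _ in intervals[1:5]:          # pulse = 1, pause = 0
        value = (value << 1) | (0 if freq is None else 1)
    return value                            # raw 4-bit value, 0..15

def decode_1vf_stream(intervals: List[Interval]) -> List[int]:
    """Split a run of intervals into 6-slot frames and decode each one."""
    if len(intervals) % 6 != 0:
        raise FrameError("stream length is not a multiple of 6 intervals")
    return [decode_1vf_digit(intervals[i:i + 6]) for i in range(0, len(intervals), 6)]

# Constructed sample frames: five (0101) as in the article, and three (0011).
P, S = (2280.0, 50.0), (None, 50.0)         # P = pulse, S = pause (silence)
FIVE = [P, S, P, S, P, S]
THREE = [P, S, S, P, P, S]

if __name__ == "__main__":
    print(decode_1vf_stream(FIVE + THREE))
```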

An idle line is signaled by the presence of a 3825 Hz tone for more than 650 ms.  This must be within 4 Hz.

France:  Uses the same box codes as the U.S., with an additional 1900 Hz acknowledgment signal, at -8.7 dBm (+/- 1 dBm) per frequency.

Spain:  Uses a two out of five MF code (same frequencies as U.S.), with a 1700 Hz acknowledge signal.

Other places using the 1VF system are:

Australia:  2280 Hz (+/- 6 Hz), 35 ms per digit at -6 dBm.

Germany:  Same as Australia.

France:  Same as Australia.

Switzerland:  Same as Australia, only it uses 3000 Hz, not 2280 Hz.

Sweden:  Same as Switzerland, but at 2400 Hz.

Spain:  Some parts use 1VF with 2500 Hz.

There is one other major system: the 2VF system.

In this system, each digit is 35 ms long.  The number is encoded in binary as with the 1VF system.

Using the example of five (0101), here's how the American 2VF system was sent:

      1           2           3           4           5           6           7           8
2400 Hz pulse | pause | 2040 Hz pulse | pause | 2400 Hz pulse | pause | 2040 Hz pulse | pause

The digits and pauses are all 35 ms long, for a total of 280 ms per digit.  Other countries are still using a similar high/low pair with the same timings.

With the 2VF system, all frequencies should be within 2 Hz.

Some parts of Italy use the 1VF system with 2040 Hz, some use the 2VF system with 2040 Hz and 2400 Hz (same as original U.S.).

The Netherlands:  Uses a 2VF system with 2400 Hz and 2500 Hz pulses.

Also, here are some specs for American phone equipment:

Dial Tone:  350 Hz + 440 Hz, -17.5 to -14.5 dBm per tone.

Off-Hook (ROH):  1400 Hz + 2060 Hz + 2450 Hz + 2600 Hz(!) on/off, five times per second.

Busy:  480 Hz + 620 Hz, slow busy: 0.5 sec (+/- 0.05 sec) = 1 period (about twice a second), at -28.5 to -22.5 dBm per tone.

Ring:  440 Hz + 480 Hz at -23.5 to -20.5 dBm per tone.  A ring is modulated at 20 Hz (+/- 3 Hz), 2 sec on, 4 sec off.

Call Waiting:  440 Hz, on 1 second.

Recorder Connection:  1400 Hz, beeps every 15 minutes.

Multiparty Line Ring:  Same frequency and modulation as ring, but 1 sec on, 2 sec off (twice as fast).

Titan the Scanner

In the early days of British phreaking, the Cambridge University Titan Computer was used to record and circulate numbers found by the exhaustive dialing of local networks.  These numbers were used to create a chain of links from local exchange to local exchange across the country, bypassing the trunk circuits.

Because the internal routing codes in the U.K. network are not the same as those dialed by the caller, the phreaks had to discover them by "probe and listen" techniques, more commonly known in the U.S. as scanning.

What they did was put in likely signals and listen to find out if they succeeded.  The results of scanning were circulated to other phreaks.  Discovering each other took time at first, but eventually the phreaks became organized.  The TAP of Britain was called Undercurrents, which enabled British phreaks to share the info on new numbers, equipment, etc.

To understand what the British phreaks did, think of the phone network in three layers of lines: Local, trunk, and international.

In the U.K., Subscriber Trunk Dialing (STD) is the mechanism which takes a call from the local lines and (legitimately) elevates it to a trunk or international level.  The U.K. phreaks figured that a call at trunk level can be routed through any number of exchanges, provided that the right routing codes were found and used correctly.  They also had to discover how to get from local to trunk level either without being charged (which they did with a Bleeper Box) or without using STD.

Chaining has already been mentioned, but it requires long strings of digits, and speech gets more and more faint as the chain grows, just like it does when you stack trunks back and forth across the U.S.  The way the security reps snagged the phreaks was to put a simple "printermeter" or pen register, as we call it, on the suspect's line, which shows every digit dialed from the subscriber's line.

The British prefer to get onto the trunks rather than chaining.  One way was to discover where local calls use the trunks between neighboring exchanges, start a call and stay on the trunk instead of returning to the local level on reaching the distant switch.  This again required exhaustive dialing and made more work for Titan; it also revealed "fiddles," which were inserted by Post Office Engineers.

What fiddling means is that the engineers rewired the exchanges for their own benefit.  The equipment is modified to give access to a trunk without being charged, an operation which is pretty easy in Step-by-Step (SXS) electromechanical exchanges, which were installed in Britain even in the 1970s.

A famous British "fiddler" revealed in the early 1970s worked by dialing 173.  The caller then added the trunk code of 1 and the subscriber's local number.  At that time, most engineering test services began with 17X, so the engineers could hide their fiddles in the nest of service wires.  When security reps started searching, the fiddles were concealed by tones signaling "number unobtainable" or "equipment engaged", which switched off after a delay.  The necessary relays are small and easily hidden.

There was another side to phreaking in the U.K. in the sixties.  Before STD was widespread, many "ordinary" people were driven to occasional phreaking from sheer frustration at the inefficient operator controlled trunk system.  This came to a head during a strike about 1961 when operators could not be reached.

Nothing complicated was needed.  Many operators had been in the habit of repeating the codes as they dialed the requested numbers, so people soon learned the numbers they called frequently.  The only "trick" was to know which exchanges could be dialed through to pass on the trunk number.  Callers also needed a pretty quiet place to do it, since timing relative to clicks was important.

The most famous trial of British phreaks was called the Old Bailey trial, which started on October 3, 1973.

What the phreaks did was to dial a spare number at a local call rate but involving a trunk to another exchange.  Then they sent a "Clear Forward" to their local exchange, indicating to it that the call was finished - but the distant exchange didn't realize because the caller's phone was still off the hook.  They now had an open line into the distant trunk exchange and they sent a "seize" signal (1) which put them onto the outgoing lines.

Since they had figured out the codes, the world was open to them.  All other exchanges trusted the caller's local exchange to handle the billing - they just interpreted the tones they heard.

Meanwhile, the local exchange only collected for a local call.  The investigators discovered the phreaks holding a conference somewhere in England surrounded by various phone equipment and Bleeper Boxes, also printouts listing "secret" Post Office codes.

The judge said, "Some take to heroin, some take to telephones."  For them phone phreaking was not a crime but a hobby to be shared with phellow enthusiasts and discussed with the Post Office openly over dinner and by mail.  Their approach and attitude to the world's largest computer, the global telephone system, was that of scientists conducting experiments or programmers and engineers testing programs and systems.

The judge appeared to agree, and even asked them for phreaking codes to use from his local exchange!
